On Sat, Oct 5, 2019 at 1:45 AM Ankur Sharma <ankur.sha...@nutanix.com> wrote: > > For dnat_and_snat rules which are meant to be stateless > instead of using ct_snat/dnat OVN actions, we will use > ipv4.src/ipv4.dst. > > This actions will do 1:1 mapping to inner ip to external ip, > while recalculating the checksums. > > Signed-off-by: Ankur Sharma <ankur.sha...@nutanix.com>
Hi Ankur, There is a checkpatch warning - WARNING: Line is 80 characters long (recommended limit is 79). Please address it. Please see below for few comments. Thanks Numan > --- > northd/ovn-northd.8.xml | 34 +++++++++++++++---- > northd/ovn-northd.c | 86 > +++++++++++++++++++++++++++++++++++++++++++------ > tests/ovn-northd.at | 50 ++++++++++++++++++++++++++++ > 3 files changed, 154 insertions(+), 16 deletions(-) > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > index 0f4f1c1..7d5d102 100644 > --- a/northd/ovn-northd.8.xml > +++ b/northd/ovn-northd.8.xml > @@ -1718,7 +1718,9 @@ icmp6 { > to change the source IP address of a packet from <var>A</var> to > <var>B</var>, a priority-90 flow matches <code>ip && > ip4.dst == <var>B</var></code> with an action > - <code>ct_snat; </code>. > + <code>ct_snat; </code>. If the NAT rule is of type dnat_and_snat > + and has <code>is_stateless=true</code> in the options, then the > action > + would be <code>replace_dst_ip(<var>B</var>)</code>. I think you need to update the documentation as you removed the action - replace_dst_ip in v2. > </p> > > <p> > @@ -1738,7 +1740,10 @@ icmp6 { > <var>B</var>, a priority-100 flow matches <code>ip && > ip4.dst == <var>B</var> && inport == <var>GW</var></code>, > where <var>GW</var> is the logical router gateway port, with an > - action <code>ct_snat;</code>. > + action <code>ct_snat;</code>. If the NAT rule is of type > + dnat_and_snat and has <code>is_stateless=true</code> in the > + options, then the action would be <code>replace_dst_ip Same here and other places too. > + (<var>B</var>)</code>. > </p> > > <p> > @@ -1858,7 +1863,10 @@ icmp6 { > Gateway router is configured to force SNAT any DNATed packet, > the above action will be replaced by > <code>flags.force_snat_for_dnat = 1; flags.loopback = 1; > - ct_dnat(<var>B</var>);</code>. > + ct_dnat(<var>B</var>);</code>. If the NAT rule is of type > + dnat_and_snat and has <code>is_stateless=true</code> in the > + options, then the action would be <code>replace_dst_ip > + (<var>B</var>)</code>. > </li> > > <li> > @@ -1890,7 +1898,10 @@ icmp6 { > <var>B</var>, a priority-100 flow matches <code>ip && > ip4.dst == <var>B</var> && inport == <var>GW</var></code>, > where <var>GW</var> is the logical router gateway port, with an > - action <code>ct_dnat(<var>B</var>);</code>. > + action <code>ct_dnat(<var>B</var>);</code>. If the NAT rule is of > + type dnat_and_snat and has <code>is_stateless=true</code> in the > + options, then the action would be <code>replace_dst_ip > + (<var>B</var>)</code>. > </p> > > <p> > @@ -2553,7 +2564,10 @@ nd_ns { > matches <code>ip && ip4.src == <var>B</var> > && outport == <var>GW</var></code>, where <var>GW</var> > is the logical router gateway port, with an action > - <code>ct_dnat;</code>. > + <code>ct_dnat;</code>. If the NAT rule is of type > + dnat_and_snat and has <code>is_stateless=true</code> in the > + options, then the action would be <code>replace_src_ip > + (<var>B</var>)</code>. > </p> > > <p> > @@ -2611,7 +2625,10 @@ nd_ns { > <code>ip && ip4.src == <var>A</var></code> with an action > <code>ct_snat(<var>B</var>);</code>. The priority of the flow > is calculated based on the mask of <var>A</var>, with matches > - having larger masks getting higher priorities. > + having larger masks getting higher priorities. If the NAT rule is > + of type dnat_and_snat and has <code>is_stateless=true</code> in the > + options, then the action would be <code>replace_src_ip > + (<var>B</var>)</code>. > </p> > <p> > A priority-0 logical flow with match <code>1</code> has actions > @@ -2634,7 +2651,10 @@ nd_ns { > logical router gateway port, with an action > <code>ct_snat(<var>B</var>);</code>. The priority of the flow > is calculated based on the mask of <var>A</var>, with matches > - having larger masks getting higher priorities. > + having larger masks getting higher priorities. If the NAT rule > + is of type dnat_and_snat and has <code>is_stateless=true</code> > + in the options, then the action would be <code>replace_src_ip > + (<var>B</var>)</code>. > </p> > > <p> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index f393ceb..4036392 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -6314,6 +6314,18 @@ copy_ra_to_sb(struct ovn_port *op, const char > *address_mode) > smap_destroy(&options); > } > > +static inline bool > +lrouter_nat_is_stateless(const struct nbrec_nat *nat) > +{ > + const char *is_stateless = smap_get(&nat->options, "is_stateless"); > + > + if (is_stateless && !strcmp(is_stateless, "true")) { > + return true; > + } > + > + return false; > +} > + > static void > build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, > struct hmap *lflows, struct shash *meter_groups) > @@ -7052,6 +7064,7 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap > *ports, > nat = od->nbr->nat[i]; > > ovs_be32 ip, mask; > + bool is_stateless = lrouter_nat_is_stateless(nat); > > char *error = ip_parse_masked(nat->external_ip, &ip, &mask); > if (error || mask != OVS_BE32_MAX) { > @@ -7117,15 +7130,26 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > if (!od->l3dgw_port) { > /* Gateway router. */ > ds_clear(&match); > + ds_clear(&actions); > ds_put_format(&match, "ip && ip4.dst == %s", > nat->external_ip); > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) > { > + ds_put_format(&actions, "ip4.dst=%s; next;", > + nat->logical_ip); > + } else { > + ds_put_cstr(&actions, "ct_snat;"); > + } > + > ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 90, > - ds_cstr(&match), "ct_snat;"); > + ds_cstr(&match), ds_cstr(&actions)); > } else { > /* Distributed router. */ > > /* Traffic received on l3dgw_port is subject to NAT. */ > ds_clear(&match); > + ds_clear(&actions); > + > ds_put_format(&match, "ip && ip4.dst == %s" > " && inport == %s", > nat->external_ip, > @@ -7136,8 +7160,16 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > ds_put_format(&match, " && is_chassis_resident(%s)", > od->l3redirect_port->json_key); > } > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) > { > + ds_put_format(&actions, "ip4.dst=%s; next;", > + nat->logical_ip); > + } else { > + ds_put_cstr(&actions, "ct_snat;"); > + } > + > ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 100, > - ds_cstr(&match), "ct_snat;"); > + ds_cstr(&match), ds_cstr(&actions)); > > /* Traffic received on other router ports must be > * redirected to the central instance of the l3dgw_port > @@ -7172,8 +7204,16 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > ds_put_format(&actions, > "flags.force_snat_for_dnat = 1; "); > } > - ds_put_format(&actions, "flags.loopback = 1; > ct_dnat(%s);", > - nat->logical_ip); > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) > { > + ds_put_format(&actions, "flags.loopback = 1; " > + "ip4.dst=%s; next;", > + nat->logical_ip); > + } else { > + ds_put_format(&actions, "flags.loopback = 1; > ct_dnat(%s);", > + nat->logical_ip); > + } > + > ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 100, > ds_cstr(&match), ds_cstr(&actions)); > } else { > @@ -7192,8 +7232,15 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > od->l3redirect_port->json_key); > } > ds_clear(&actions); > - ds_put_format(&actions, "ct_dnat(%s);", > - nat->logical_ip); > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) > { > + ds_put_format(&actions, "ip4.dst=%s; next;", > + nat->logical_ip); > + } else { > + ds_put_format(&actions, "ct_dnat(%s);", > + nat->logical_ip); > + } > + > ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 100, > ds_cstr(&match), ds_cstr(&actions)); > > @@ -7235,7 +7282,14 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > ds_put_format(&actions, "eth.src = "ETH_ADDR_FMT"; ", > ETH_ADDR_ARGS(mac)); > } > - ds_put_format(&actions, "ct_dnat;"); > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { > + ds_put_format(&actions, "ip4.src=%s; next;", > + nat->external_ip); > + } else { > + ds_put_format(&actions, "ct_dnat;"); > + } > + > ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 100, > ds_cstr(&match), ds_cstr(&actions)); > } > @@ -7251,7 +7305,14 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > ds_put_format(&match, "ip && ip4.src == %s", > nat->logical_ip); > ds_clear(&actions); > - ds_put_format(&actions, "ct_snat(%s);", > nat->external_ip); > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) > { > + ds_put_format(&actions, "ip4.src=%s; next;", > + nat->external_ip); > + } else { > + ds_put_format(&actions, "ct_snat(%s);", > + nat->external_ip); > + } > > /* The priority here is calculated such that the > * nat->logical_ip with the longest mask gets a higher > @@ -7280,7 +7341,14 @@ build_lrouter_flows(struct hmap *datapaths, struct > hmap *ports, > ds_put_format(&actions, "eth.src = "ETH_ADDR_FMT"; ", > ETH_ADDR_ARGS(mac)); > } > - ds_put_format(&actions, "ct_snat(%s);", > nat->external_ip); > + > + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) > { > + ds_put_format(&actions, "ip4.src=%s; next;", > + nat->external_ip); > + } else { > + ds_put_format(&actions, "ct_snat(%s);", > + nat->external_ip); > + } > > /* The priority here is calculated such that the > * nat->logical_ip with the longest mask gets a higher > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at > index 42033d5..64511a9 100644 > --- a/tests/ovn-northd.at > +++ b/tests/ovn-northd.at > @@ -966,3 +966,53 @@ OVS_WAIT_UNTIL([ovn-sbctl get Port_Binding ${uuid} > options:redirect-type], [0], > ]) > > AT_CLEANUP > + Can you add a new test case or modify an existing test case in ovn.at to make use of this feature ? > +AT_SETUP([ovn -- check stateless dnat_and_snat rule]) > +AT_SKIP_IF([test $HAVE_PYTHON = no]) > +ovn_start > + > +ovn-sbctl chassis-add gw1 geneve 127.0.0.1 > + > +ovn-nbctl lr-add R1 > +ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24 > + > +ovn-nbctl ls-add S1 > +ovn-nbctl lsp-add S1 S1-R1 > +ovn-nbctl lsp-set-type S1-R1 router > +ovn-nbctl lsp-set-addresses S1-R1 router > +ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1 > + > +ovn-nbctl lrp-set-gateway-chassis R1-S1 gw1 > + > +uuid=`ovn-sbctl --columns=_uuid --bare find Port_Binding > logical_port=cr-R1-S1` > +echo "CR-LRP UUID is: " $uuid > + > +ovn-nbctl lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11 > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | wc -l], [0], [2 > +]) There is a chance that the test case might fail on slower systems if ovn-northd is not fast enough to add the necessary logical flows. For the above first check, I would suggest to use - OVS_WAIT_UNTIL. > + > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | wc -l], [0], [2 > +]) > + > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.dst=| wc -l], [0], [0 > +]) > + > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.src=| wc -l], [0], [0 > +]) > + > +ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1 > + > +ovn-nbctl --stateless lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11 > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | wc -l], [0], [0 > +]) > + Same here. Please use OVS_WAIT_UNTIL. > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | wc -l], [0], [0 > +]) > + > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.dst=| wc -l], [0], [2 > +]) > + > +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.src=| wc -l], [0], [2 > +]) > + > +AT_CLEANUP > -- > 1.8.3.1 > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev